Heed the plea of a desperate man, someone :)

It was a beautiful day, everything was set. The Prestige 782R routers were delivered, and we were waiting to take delivery of our leased copper line between our offices. Beautiful, that is, until our telecom operator tells us out of the blue that they cannot deliver the copper, and are backing out of the deal, and will (hopefully-or-else) reimburse us for the cost we will have in returning the routers to our retailer.

This, however, leaves us in a bit of a bind since we need to connect these locations with something other than the ISDN we currently have.

I can get ADSL in the remote location; our main office has a 512/512 SDSL with 16 public IPs. The main office is protected by a Debian 3.0 box with shorewall 1.3.10-1, which is also proxy-arping the systems in our DMZ. The Shorewall box even has another eth-card which isn't doing anything as of yet.

If I go with ADSL in the remote area, I will get a dynamic IP and be required to log on to the service with a client on the gateway; this can be done, I have service from the same provider at my house. The remote site only has a few (3) PCs.

The main office runs a 192.168.221.0/24 network internally, and is a Windows based AD setup.

What I would like to accomplish is a net-to-net setup, and be able to connect the remote site to our internal network.

What do I want to do here? Putting a PC in each end with Linux-backed GPL software would not be a problem. Would putting a couple of RH boxen with the Free S/WAN RPMs be a good way? Then proxy-arping that system to behind our FW? Put a VPN proxy in parallel with our shorewall on a public IP? An Astaro box in each end? (If I could load the login script onto it.) Sacrifice a (rubber) chicken?
I hope I described my case adequately, and I hope there are no hard feelings in asking not-strictly-shorewall questions here (which I have a tendency to do quite often) [insert standard blurb about the fact that I still think that this list possesses a remarkable wealth of knowledge about networking].
> From: Jan Johansson [mailto:jan.johansson@nwl.se]
>
> I can get ADSL in the remote location, our main office has a
> 512/512 SDSL
> with 16 public IP's. The main office is protected by a Debian
> 3.0 box with shorewall 1.3.10-1, which is also proxy-arping
> the systems in our DMZ. The Shorewall box even has another
> eth-card which isn't doing anything as of yet.

So it is a collapsed firewall with local, DMZ and external net directly attached to it? Do the DMZ machines have public addresses as well? Does FreeSWAN support Debian? Are there public IPs left for a second gateway?

> If I go with ADSL in the remote area, I will get a Dynamic IP
> and be required to log on to the service with a client on the
> gateway, this can be done, I have service from the same
> provider at my house. The remote site only has a few (3) PC's

Do you already have an ADSL router or modem? A Linux box acting as gateway/firewall would be fine (I use it here for connecting five places with freeswan). It could also be used for services like squid, dhcp, local nameserver, ... A dynamic IP is no problem at all.

> The main office runs a 192.168.221.0/24 network internally,
> and is a Windows based AD setup.
>
> What I would like to accomplish is a Net-to-net setup. And be
> able to connect the remote site to our internal network.
>
> What do I want to do here? Putting a PC in each end with
> Linux backed GPL
> Software would not be a problem. Would putting a cpl of
> RH-boxen with the Free S/WAN rpm's be a good way? Then
> proxy-arping that system to behind our FW? Put a VPN proxy in
> parallel with our shorewall on a public IP? An Astaro box in
> each end? (If I could load the login script onto it).
> Sacrifice a (rubber)chicken?

I'm not sure why you want to proxy-arp the machines. I think it's better to take a separate subnet for the remote site and set up routing.
Of course you'll need a WINS server, but you seem to know that :)

You have to decide where to place the local VPN gateway. If it was on the standard gateway itself you would not have to change routes, but it's also no problem to place it parallel to it (but then you have one more system accessible from the outside).

And yes, why not take black boxes like Astaro on both sides. It would be easier in the beginning but you would have fewer possibilities. There also exist patches for freeswan that allow NAT traversal, e.g. you could place the VPN gateway behind your Debian box.

> I hope I described my case adequately, and I hope there is no

I don't know if I got the point of your question. IMHO it looks more like a network design question than a technical one.

Andreas
> so it is a collapsed

Collapsed?

> firewall with local, DMZ and external net directly
> attached to it?

Yes.

> Do the dmz-machines have public addresses as well?

Yes, we have a .240 netmask.

> Does FreeSWAN support Debian?

Yes, but it isn't packaged afaik.

> Are there public IPs left for a second
> gateway?

Yes.

> Do you already have a ADSL-Router or -modem?

No, we are running ISDN currently.

> A linux box acting as
> gateway/firewall would be fine (I use it here for connecting five places
> with freeswan). Could also be used for services like squid, dhcp, local
> nameserver,...
> dynamic IP is no problem at all.

A transparent bridge would be nice, but basic connectivity is all that is needed.

> I'm not sure why you want to proxy-arp the machines.

No, I am proxy-arping the systems in the DMZ; that is not the plan for the remote office.

> Of course you'll need a wins-server, but you seem to know that :)

Yeap. That I have.

> And yes, why not taking blackboxes like Astaro on both sides. It would
> be easier in the beginning but you would have less possibilities.
> There exist also patches for freeswan that allow NAT-traversal, eg you
> could place the vpn-gateway behind your debian-box.

Astaro costs money. I have even given the NetGear FVS318GE some thought (black (well, blue actually) box VPN gateway).

> I don't know if I got the point of your question. IMHO it looks more
> like a networkdesign question than a technical one.

Well, I just wanted some input on what would be a "smooth" way to do this, since time has become of the essence.
> From: Jan Johansson [mailto:jan.johansson@nwl.se]
>
> Collapsed?

means: loc, DMZ and net attached to the same machine (= what you have)

> A transparent bridge would be nice, but basic connectivity is all that
> is needed.

With routing you have more possibilities to stop unwanted traffic from going through the slow VPN.

I don't know if you will be able to access your DMZ from remote as a local user if you don't put the VPN on the firewall.

> > And yes, why not taking blackboxes like Astaro on both
> > sides. It would
> > be easier in the beginning but you would have less possibilities.
> > There exist also patches for freeswan that allow
> > NAT-traversal, eg you
> > could place the vpn-gateway behind your debian-box.
>
> Astaro costs money. I have even given NetGear FVS318GE some thought
> (black (well, blu actually)-box VPN gateway)

I also use a Zywall 10 for VPN. It works well, also together with freeswan, and is rather cheap. The only limit is that you have to use 'preshared secrets' for authentication (no x509 or RSA sigs).

The main question remains: where to put the local VPN server? As a separate box you can easily play around with it until it works; on the GW itself you would probably cause network interruptions until it works. And it doesn't depend on whether you use Linux or hardware boxes (only in additional functionality). It's up to you what fits your needs best.
> with routing you have more possibilities to stop unwanted traffic to go
> through the slow VPN.

True, of course.

> I don't know if you will be able to access your DMZ from remote as a
> local user if you don't put the vpn on the firewall.

Well, designing a separate zone and duplicating the rules would work?

> The main question remains: where to put the local vpn-server? As a
> separate box you can easily play around with it until it works, on the
> GW itself you would probably cause network interruptions until it works.

Separate box, I would say. Or "black box". I have spare PCs.

> And it doesn't depend on whether you use linux or hardware boxes (only
> in additional functionality).
> its up to you what fits best your needs.

Right now I am leaning towards the black box approach, well.. after going over budget issues... again :)
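As an added worked example (not from the thread or from the Shorewall/FreeS/WAN projects), this is what the "VPN on the firewall, own zone, duplicated rules" option discussed above could look like with FreeS/WAN and Shorewall 1.3 on the main-office box. The public address 192.0.2.10, the remote subnet 192.168.222.0/24, the identity @remote-office and the zone name vpn are assumptions; 192.168.221.0/24 is the office LAN from the thread, and the Shorewall column layouts follow the 1.3-era file formats.

```text
# /etc/ipsec.conf on the main-office gateway (FreeS/WAN), hypothetical values
config setup
    interfaces=%defaultroute

conn remote-office
    left=192.0.2.10               # main office public IP (placeholder)
    leftsubnet=192.168.221.0/24   # main office LAN (from the thread)
    leftnexthop=%defaultroute
    right=%any                    # remote side has a dynamic ADSL address
    rightid=@remote-office        # identity the remote sends in IKE (assumed)
    rightsubnet=192.168.222.0/24  # remote LAN (assumed)
    authby=secret                 # rsasig is the stronger choice if both ends run FreeS/WAN
    auto=add                      # static side waits; the dynamic side uses auto=start

# /etc/ipsec.secrets on the main-office gateway (placeholder PSK)
192.0.2.10 @remote-office : PSK "replace-with-a-long-random-secret"

# Shorewall 1.3 on the same box: give the tunnel its own zone instead of
# letting decrypted remote traffic show up as "loc"
# /etc/shorewall/zones
vpn     VPN     Remote office over IPsec

# /etc/shorewall/interfaces  (FreeS/WAN delivers decrypted packets on ipsec0)
vpn     ipsec0  -

# /etc/shorewall/tunnels  (allow IKE/ESP from any address: remote IP is dynamic)
ipsec   net     0.0.0.0/0

# /etc/shorewall/policy  (nothing crosses between the zones by default)
vpn     loc     DROP    info
loc     vpn     DROP    info

# /etc/shorewall/rules  (only what the Windows AD/WINS setup needs; extend as required)
ACCEPT  loc     vpn     tcp     135,139,445
ACCEPT  loc     vpn     udp     137,138
ACCEPT  vpn     loc     tcp     135,139,445
ACCEPT  vpn     loc     udp     137,138
ACCEPT  vpn     loc     tcp     53,88,389
ACCEPT  vpn     loc     udp     53,88,123,389
```

Keeping the remote office in its own zone with a DROP policy is what makes "duplicating the rules" meaningful: each service the remote PCs need is opened explicitly and logged when it is not, rather than the tunnel inheriting everything loc is allowed.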